(54) Abstract Title: A method of controlling the processing of data

(57) A method of controlling the processing of data is provided, comprising defining security controls for a plurality of data items and applying individualised security rules to each of the data items based on a measurement of integrity of a computing entity to which the data items are to be made available.

For example, data items 52, 54, 58, 60 are transmitted according to specific security rules in a definitions section 50, the rules specifying how data is transferred for each field according to an assessed level of trust or integrity of the location to which the data is to be transferred. The security/usage control could be more complex, applying masking means such as an encryption key for masking and/or encrypting an item of data.



Fig. 3 (security rules within a data set):

Definitions (50):
H. always contact owner.
M. only sent to trusted platforms.
L. require identity of recipient only.
0. none.

DATA (52):
Surname: H (54)
Forename: L (56)
Postcode: H
County: M
City: M
Road: H
Gender: 0
Age (60): specific rule (61), round to nearest 5 unless platform trusted

TEST DATA (70):
Dummy name: Smith (71)
Dummy age: 35 (72)
Dummy address: My town (73)
At least one drawing originally filed was informal and the print reproduced here is taken from a later filed formal copy.
Fig. 1 (insurance questionnaire):

Question no.   Question
1              AGE?
2              GENDER?
3              NAME?
4              ADDRESS?
(questions 5 to 24 not shown)
25             HAVE YOU HAD OR DO YOU HAVE DISEASE X?



Fig. 2 (data block 20 with per-field security controls):

Field 1 (22)   Security control 1
Field 2 (24)   Security control 2
Field 3 (26)   Security control 3
Fig. 3: security rules within a data set (the same drawing as reproduced on the front page above: definitions 50, data fields 52 to 60 with levels H/M/L/0, specific rule 61 for age, test data 70 with dummy name 71, dummy age 72 and dummy address 73).
Fig. 4 (flow chart, creation of a data set):

400  Get proforma
410  Populate user data
420  Set user security options
430  Generate components
440  Connect to internet
Fig. 6 (flow chart, operation with regard to an untrusted node):

600  Apply mask
610  Erase symmetric mask
620  Send data
630  Node accepts and signs data
640  Insurer contacts node
650  Node examines statements of work undertaken; match found? (Yes)
660  Send data
670  Receive quote
680  Encrypt data, append ID and publish
Fig. 7 (flow chart, operation with regard to a trusted node):

700  Send data
710  Node accepts data
720  Insurer contacts node
730  Node examines statements matching statement
740  Receive executable
750  Do processing at node
760  Append data, encrypt, add ID and send
A METHOD OF CONTROLLING THE PROCESSING OF DATA

The present invention relates to a method of controlling the processing of data, such as private data. In particular the method relates to controlling access to the information contained within the private data.

In order to ensure that the processes handling the processing or transfer of data do not become subverted or corrupted it is advantageous to be able to ensure that a computing platform is trustworthy. Such computing platforms are known as trusted computing platforms.

A trusted computing platform may be, for example, of the type described in WO 00/48063. Thus the computing platform may contain several trusted compartments which may operate at different levels of trust. The trusted compartments isolate the processes running within the compartment from processes in other compartments. They also control access of the processes or applications running therein to platform resources. Trusted compartments have additional properties in that they are able to record and provide proof of the execution of a process and also provide privacy controls for checking that the data is being used only for permitted purposes and/or is not being interrogated by other processes.

The "walls" of compartments may be defined by dedicated hardware or by being defined in software.

Such trusted computing platform (TCP) architectures are based around the provision of a trusted component which is tamper resistant or tamper evident and whose internal processes cannot be subverted. A TCP preferably includes a hardware trusted component which allows an integrity metric (i.e. a summary of an integrity measurement) of the platform to be calculated and made available for interrogation. It is this device which underpins the integrity of a TCP. The trusted component can help audit the build of the platform's operating system and other applications such that a user or operator can challenge the platform to verify that it is operating correctly.



Co-pending applications of the applicant, such as European Patent Application No. 022552455 (entitled "Privacy of Data on a Computer Platform") filed on 26 July 2002, disclose that it is possible to provide an audit process that can verify that a process can be run on a trusted computing platform, that access by the operator or owner of the trusted computing platform to the processes is inhibited, and that access to the audit information is restricted.

In a preferred implementation the audit process exists within a trusted component, thereby ensuring that its operation cannot be subverted. The results of the audit are generally stored in protected or encrypted form in memory within a trusted computing platform. The audit data is itself partitioned into sets such that investigation of audit data in one set does not disclose the data in other ones of the audit sets. The trusted component may make an assessment of one or more computing platforms which request the audit data. If the platform is of an unknown or untrusted type, and/or has unapproved means for viewing the audit data, then the data may be withheld.

It is advantageous to propagate private information through a computer platform or system or network, to take advantage of resources and services. Trusted computing platforms, of the type described previously, for example, may provide a safe processing environment for private information provided that the owner of the private data retains control over the private information.

According to a first aspect of the present invention there is provided a method of controlling the processing of data, wherein the data comprises a plurality of usage rules for a plurality of data items, and applying individualised usage rules to each of the data items based on a measurement of integrity of a computing entity to which the data items are to be made available.

It is thus possible to provide a method of controlling access to data in which each data item has individual usage rules which may comprise individual mask data.
The usage rules may define the use for which the data can be used and/or the security to be applied to the data items.

The data items may be fields within a block of data. Thus a data item might be an individual's age, another might be their surname and so on. Preferably the data is private.

Preferably each data item can be made confidential by masking it. This may, for example, be achieved by encrypting the data item with its own associated encryption key. Preferably the encryption keys for different data items are different. Thus, in essence, each field is preferably individually maskable by the use of encryption or other forms of masking. A list of keys and associated data items and/or other data can be considered as being mask data. When masking is done by encryption means, the mask data includes both masking (encryption) keys and also unmasking (decryption) keys if the decryption key is different to the encryption key.

Preferably the computing entity or platform that generated the mask data, such as encryption keys, retains the mask data or the ability to regenerate the mask data for as long as it has an interest in the data.

A separate copy of the usage rules, which may include mask data, is advantageously held with each copy or instantiation of the private data. If a data item or field within the data is masked by the use of encryption, the corresponding unmasking entry in the corresponding copy of the mask data is erased. If data is masked using symmetric encryption, the corresponding masking entry in the copy of the mask data is also erased, because in such cases the masking entry inherently provides unmasking information. The computing entity that wishes access to the masked data can be required to contact the entity that generated the mask to obtain the means to unmask the data. Alternatively the computing entity that generated the mask may supply means to the entity that wishes to access the data to enable it to regenerate the mask and to thereby acquire a local copy of the unmasked data.
Individual data items may have individualised usage rules associated with them. Thus a user or owner of the data may be happy to allow information concerning the owner's gender to be made available, as that data applies to roughly 50% of any population and hence does not allow the individual to be identified. However some owners may be very conscious that they do not wish to give out full address information or post code (zip code) information as it enables them to be identified, either individually or as a member of a small group of people. An owner of data can therefore individualise the security rules for each data item.

The data may be required by a plurality of computing entities. The instantiation of the data at any entity depends on the capabilities of that entity but preferably includes all the data, and even more preferably masking data, masked data and unmasked data. A computing entity may be a computer platform or it may be a service, process or application running on the computer platform.

Thus different applications which constitute different entities on the same computing platform may be presented with differing views (instantiations) of the data.

A computing entity, either hardware or software, is often called a "node" and this term will appear hereinafter.

Preferably the computing entity is or is executed on a trusted computing platform.

Preferably when data is transferred between computing platforms it is transferred in a secure manner, for example in confidential form with proof of origin, authenticity and integrity, and any such security measures taken for the transport of data are preferably in addition to any security measures acting on the data items by virtue of security controls in their usage rules.

Thus, it may be presumed that the information is made available only to the intended recipient. Even if the data is in encrypted form when being passed by the transport processes between nodes, the data once it arrives at a node can be considered as being in plain form, except for those data fields which the supplier has chosen to mask by virtue of the security rules applied to particular data items.

Preferably a computing entity or node can reliably and im… selected data items currently under its control.

The data advantageously is signed by the receiving entity … computing entities. The signature may be calculated by reference to the non-masked data items within the data. The key used to sign the data is a secret kept by the computing entity signing the data. The corresponding public key is thereafter included within the data. Signatures and/or the corresponding public key may be used in an audit trail to verify that a node has sent data or to prevent false accusation of …

Preferably the data is associated with constraints which define and/or limit the purpose for which the data can be used, where it may be propagated, a timeframe in which the data may be used or propagated or manifested, and the parameters that platforms must satisfy.

Advantageously the data comprises both real data, such as real private data, and also test data that has a structure similar or congruous to that of the real data and is innocuous. Thus, release of the test data is unlikely to evoke undesirable consequences but can be used to examine the performance and/or security or integrity of a node to which the real data may be released depending on the results obtained using the test data.

Preferably hostage material may be delivered to the owner of the data or the node issuing the data. The purpose of the hostage material is to provide means of compensation or redress to the owner of the data if it transpires that the data has been misused or that constraints imposed by the owner of the data have not been observed.

A trusted third party may need to be contacted in order to activate the hostage material.
Advantageously a node that finds itself in possession of data (i.e. private data) whose history is unknown, dubious, or in some other way undesirable, for example because the history or content of the data do not meet requirements, for example because a new "security policy" has changed predetermined requirements, formats the data, preferably using a public encryption key which is transported as part of the data, and places the data in a repository. The repository may be open to inspection by certification and policing authorities. Advantageously the repository contains encrypted data, with the means associated with the data to enable the owner of the data to identify it.

The means enabling the owner to identify the data may be an identifier automatically or manually associated with the data by the owner of the data.

It is possible that data processing may start at a first node and later on involve another node that already contains an instantiation or manifestation of the same private data. This may be because use of the private data requires access to other (possibly secret) data that does not exist at the first node. Alternatively the other node may contain an unmasked version of the private data and may also advantageously contain other data that can be used to unambiguously identify the entity (which is likely to be the owner of the data) that determined the constraints that are associated with and apply to …

The nodes may be normal computing platforms, i.e. PCs and …, but preferably the nodes have the architecture and functionality of trusted computing platforms and most preferably are arranged such that access to data and the results of processing on the data is set solely by constraints associated with the data. Thus the computing platform owner or administrator cannot observe the data or the results of the processing if such observation is not permitted by the constraints associated with the data.

Preferably the data is manipulated by nodes comprising a trusted computing platform running a compartmentalised operating system, with some of the compartments being secure and one of the compartments running an audit portal as described in the Hewlett Packard patent application titled "Audit Privacy", whose techniques and teachings are incorporated herein by reference.
Thus the audit portal and an associated audit viewer running in another compartment store audit information using encryption, and store the decryption keys in a trusted computing module protected storage function. The audit viewer provides the only method of viewing the audit data.

The trusted computing module makes integrity measurements of the operating system and will only release the audit keys to view the audit data if the operating system is in the correct state.

The administrator can run any application he likes or change the operating system (because he is the administrator), but if he alters any setting that affects the mandatory audit and/or viewing properties, thus seeking to give himself rights to view the data, the trusted computing module measures the change and will not release the keys that provide access to data.

Preferably the data is enabled for use by the computing entity via cryptographic keys. Preferably such cryptographic keys, or at least one key providing access to those keys, or other means of enabling access to the data (such as logical information or addressing information) are stored within the trusted computing module and can be erased via instructions originating from the private data or via signed signals received by the trusted computing module.

Preferably the data can contain audit instructions. The audit instruction may contain or comprise contact information that enables, or indeed requires, messages to be sent to previous nodes that had propagated the data. The data may prescribe the frequency with which previous nodes must be contacted. It may also prescribe the number of contacts, failed contacts or propagations that the data may undergo before any instantiation of it must be erased.

Advantageously, prior to copying data to another computing entity a check is made on a propagation control rule or word which controls whether further copies of the data are permitted. The rule may contain a copy count that is modified each time that data is propagated. If further copies are permitted, the computing entity creates a temporary copy of its own instantiation of the data and signs all the unmasked fields of the data if the current signature is unsuitable or no such signature exists, for example if all the data or additional data was created on this computing entity. The computing entity then interrogates the destination entity. Such interrogations may for example be in accordance with the "TCPA design philosophies and concepts" versions 1 and 1.1 published by the Trusted Computing Platform Alliance, the current URL of which is www.trustedpc.org or www.trustedcomputing.org. Reference should also be made to "Trusted computing platforms: TCPA technology in context", Balacheff, Chen, Plaquin, Pearson & Proudler (Ed: Pearson), published by Prentice Hall, ISBN 0-13-009220-7.



Depending on the privacy mechanism and privacy policies supported by the destination entity, the computing entity preparing to send the data masks none, some or all of the data items in its temporary copy in accordance with the individualised security rules relating to those items and/or global rules set by the owner of the data. A recipient therefore receives only the unmasked data that the rules permit him to receive.

The entity preparing to send the data may then, when appropriate, erase the corresponding copy of the unmasking data (e.g. a symmetric key or private key) in the temporary copy, and may erase the corresponding copy of the masking data (e.g. a symmetric key) in the temporary copy. The temporary copy of the data is then sent to the receiving computing entity where it becomes that entity's instantiation of the data.

Upon receiving the copy of data, the receiving entity generates any new secrets that will accompany the data in future, such as a new signing key. It then increments the copy control word (this may have been done when preparing the copy for transmittal) and signs the data with a new or existing private signing key and appends the new public signing key to the data.
The receiving entity may further process the received data, and fully or partly processed results obtained by executing processing on the data may also accompany the data in future.

Where the data has no return information, thereby preventing its owner from being traced via the return information, the data may need to be published so that its owner can pick it up. The published data may include the results of processes, such as tendering, performed on the data.

Preferably such publication is performed by encrypting the data using a public key contained within the data. This may ensure that the data can now only be viewed by its rightful owner. An identifier defined by the owner is then appended to the data. The identifier may be a random sequence, say 20 bytes or so long, which the owner's data processor will search for. Alternatively, an identifier is appended to the data and then the data is encrypted. Thus an owner of data may choose to perform speculative decryption to search for the identifier.

The data is then published in one or more predefined depositories where the owner can search for it. Data may be published more than once, and may be encrypted using different public depository keys associated with the data.

Advantageously a computing platform may test applications to determine their suitability to process the data. Such tests may be done frequently. Tests may involve the use of test values in the data or associated with the data. The results of such tests may be published, for example, by one of the methods described previously, such as encrypting the data using a public key contained within the data, appending an identifier to the data, and depositing the data within a depository.

According to a second aspect of the present invention, there is provided a method of controlling the processing of data, wherein the data comprises a plurality of rules associated with a plurality of data items, said rules acting to define the use of the data or security to be observed when processing the data, and in which … performed in accordance with mask means provided in association with the rules.

According to a third aspect of the present invention there is provided a processing system for processing private data, wherein the private data comprises a plurality of data fields and each field is associated with customisation data that controls the use and propagation of the data, and wherein the processing system is subservient to the constraints defined by the customisation data.

According to a fourth aspect of the present invention there is provided a computing device arranged to receive data and security rules associated with the data, and in which forwarding of the data is performed in accordance with the masking means supplied with the security rules instead of with masking means belonging to the computing device.



Embodiments of the present invention will further be described, by way of example, with reference to the accompanying figures, in which:

Figure 1 illustrates the type of questions that may occur when an individual is seeking insurance;

Figure 2 schematically illustrates a simple data structure in accordance with an embodiment of the present invention;

Figure 3 illustrates a single embodiment of security rules within a data set for use with the present invention;

Figure 4 is a flow chart illustrating the steps performed in the creation of a data set;

Figure 5 illustrates the architecture of a trusted platform;

Figure 6 illustrates operation with regard to an untrusted node; and

Figure 7 illustrates operation with regard to a trusted node.

It is now possible to conduct many business transactions electronically. Such business transactions, or the process of tendering for such transactions, may involve the transfer of sensitive or private data from party to party. Transfer of data between unidentified parties can also occur without the knowledge of the owner of the data. This is best illustrated with a simple example.

Suppose that an individual wishes to obtain health insurance. Health insurance companies seek a fairly detailed inspection of an individual's medical history before issuing a quote. Furthermore the quotes issued may vary significantly from insurer to insurer.

It is well known that insurance brokers make their business by comparing the quotes of many insurance companies and then offering their client the best or a list of the best policies.

Such services are now available over the Internet. The individual may log on to a server of a broker and may be required to fill out a form detailing personal information to enable a quote to be derived. Figure 1 shows a table where the questions asked and our hypothetical individual's responses are summarised.

The questions, for example questions 3 and 4 relating to name and address, seek information that is sufficient to uniquely identify the individual. Other questions probe the medical history of the individual and may relate to data that the individual would not want known to others. Thus, for example, question 25 asks a specific question about treatment of a specific disease X. Disease X may be a disease that carries a social stigma or a real and continuing risk to the health of the individual or others close to that person. In order to get valid insurance an individual has to disclose the existence of disease X. However, they may be reluctant to do this since the form also contains information to uniquely identify them.

Following completion of the form, the broker's computer then contacts other computers owned or run by insurers and sends the results of the questionnaire to them. Thus the individual has lost control over his personal information and has no idea where it has been sent, or what processing is being performed on that information.

5 

As will be explained below, the use of computational systems constituting embodiments of the present invention allows a user to engage in electronic business transactions and tendering processes, but also enables him or her to retain ownership and control of private information.

It is important that an owner of private data can be assured that their data will be stored in a trusted environment and that the data will be handled in accordance with known and reliable rules without the risk of any process subverting or disobeying those rules.

It is beneficial at this point to clarify what is meant by private data, and to compare and contrast it with other data types, such as secret data and public data. Public data is data which is in an open form and is in the public domain. Thus anyone can have access to the data, although of course there may be restrictions about what they can legally do with that data. Secret data is data that is not intended to be disclosed. Private data is sensitive data which is not public data but which may need to be disclosed under certain conditions, such as conditions of confidentiality, to a third party.

A user needs to define their data and to indicate the security or confidentiality control that is to be applied to that data. Figure 2 schematically illustrates an example of how user data can be organised in accordance with an embodiment of the present invention. The data, which is provided as a block 20, is subdivided into a series of divisions. The divisions may relate to specific information topics or may relate to specific items of information. In this latter option each division is effectively a field within the data block 20. For the purposes of illustration only, Figure 2 shows only the first three fields 22, 24 and 26 of the data block 20, although it will be appreciated that the block can contain much more information. Each field has its own security control. Thus field 1 is associated with a usage control 1 or a security control 1, field 2 is associated with security/usage control 2 and so on. The security/usage controls may be held integrally with the data, or in a different file or location provided the association can be maintained.



The security/usage control can be a simple indication of security level which is applied to the field, or it may be more complex and include masking means (such as an encryption key) to be used for masking/encrypting that particular item of data, and/or it may include a definition of rules or tests that are to be applied in order to define the circumstances under which the item of data may be released or propagated.

Figure 3 schematically illustrates a very simple security scheme where individual security levels are set for individual fields. Thus a user may for example set a High, H, security value in relation to his name such that his name is never passed to a third party without him having been contacted to explicitly authorise this. The individual may however allow data about address information, for example his country of residence, to be given out to third parties who themselves satisfy the criterion of being trusted. Mechanisms for determining whether a party is trusted will be described later on. The individual may be fairly relaxed about giving details of his forename or gender and may choose to apply only a low level of security to this data.

Specific security rules may be set in a definitions section 50 relating to the fields 52, 54, 56 of data. However, some items of data, such as age in this example, item 60, may have a specific rule associated with them; thus rule 61 specifies that the age is rounded to the nearest 5 years unless the computing entity requesting the data is a trusted platform.
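The per-field rules of Figure 3 and the copy-and-mask procedure described earlier (check the propagation control word, mask the items the destination may not receive in clear, retain the mask keys at the originator and strip them from the temporary copy) can be worked through in code. The following Python is an added illustration, not code from the patent or its applicant; the Destination and PrivateData classes, the one-time XOR mask standing in for the symmetric masking means, the copy limit of 3 and the sample record are assumptions.

```python
import os
from dataclasses import dataclass, field

# Security levels from the definitions section 50 of Figure 3:
# H always contact owner, M only sent to trusted platforms,
# L require identity of recipient only, 0 none.
H, M, L, NONE = "H", "M", "L", "0"


@dataclass
class Destination:
    """Assessment of the node about to receive the data (assumed model)."""
    trusted: bool                   # integrity metric judged acceptable
    identified: bool                # identity of the recipient is known
    owner_consented: bool = False   # owner contacted and has authorised release


@dataclass
class PrivateData:
    """One instantiation of the data block with its rules and mask data."""
    fields: dict
    rules: dict
    mask_data: dict = field(default_factory=dict)  # (stage, field) -> key
    masked: set = field(default_factory=set)
    copy_count: int = 0     # propagation control word / stage identifier
    copy_limit: int = 3     # assumed upper limit on propagations


def xor_mask(data: bytes, key: bytes) -> bytes:
    """Symmetric masking by one-time XOR; the same operation unmasks.
    Because the key both masks and unmasks, the copy must not carry it."""
    if len(key) != len(data):
        raise ValueError("mask key must be as long as the data item")
    return bytes(a ^ b for a, b in zip(data, key))


def may_release(level: str, dest: Destination) -> bool:
    """Decide whether one field may be sent in clear to this destination."""
    if level == NONE:
        return True
    if level == L:
        return dest.identified
    if level == M:
        return dest.trusted
    if level == H:
        return dest.owner_consented
    raise ValueError(f"unknown security level {level!r}")


def round_age(age: int) -> int:
    """Specific rule 61: round the age to the nearest 5 years."""
    return 5 * round(age / 5)


def make_copy_for(src: PrivateData, dest: Destination) -> PrivateData:
    """Prepare the temporary copy that becomes the destination's instantiation."""
    if src.copy_count >= src.copy_limit:
        raise PermissionError("propagation control word forbids further copies")
    stage = src.copy_count + 1
    copy = PrivateData(fields={}, rules=dict(src.rules),
                       copy_count=stage, copy_limit=src.copy_limit)
    for name, value in src.fields.items():
        if name == "Age":
            # Rule 61 applies instead of a plain H/M/L/0 level.
            copy.fields[name] = value if dest.trusted else round_age(value)
        elif may_release(src.rules[name], dest):
            copy.fields[name] = value
        else:
            plain = str(value).encode()
            key = os.urandom(len(plain))
            copy.fields[name] = xor_mask(plain, key)
            copy.masked.add(name)
            # The originator retains the key; the copy carries no mask entry,
            # so the recipient must come back to the originator to unmask.
            src.mask_data[(stage, name)] = key
    src.copy_count = stage
    return copy


def unmask(copy: PrivateData, name: str, key: bytes) -> str:
    """Recover a masked field once the originator has supplied the key."""
    if name not in copy.masked:
        raise KeyError(f"{name} is not masked in this copy")
    return xor_mask(copy.fields[name], key).decode()


def example_data() -> PrivateData:
    """Constructed sample record using the field list and levels of Figure 3."""
    return PrivateData(
        fields={"Surname": "Smith", "Forename": "John", "Postcode": "AB1 2CD",
                "County": "Myshire", "City": "Mytown", "Road": "High Street",
                "Gender": "M", "Age": 37},
        rules={"Surname": H, "Forename": L, "Postcode": H, "County": M,
               "City": M, "Road": H, "Gender": NONE, "Age": NONE})


if __name__ == "__main__":
    data = example_data()
    untrusted = make_copy_for(data, Destination(trusted=False, identified=True))
    print("untrusted node sees:", {k: v for k, v in untrusted.fields.items()
                                   if k not in untrusted.masked})
    trusted = make_copy_for(data, Destination(trusted=True, identified=True))
    print("trusted node sees:", {k: v for k, v in trusted.fields.items()
                                 if k not in trusted.masked})
```

An untrusted but identified node receives forename, gender and the age rounded to 35, with surname, postcode, county, city and road masked; a trusted node additionally receives county, city and the exact age, while the H fields stay masked until the owner has been contacted.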

The data also includes test data 70 that may be used to interrogate the performance of a node. Thus the test data may include a dummy name 71, dummy age 72 and dummy address 73 as part of the entire set of test data 70.

In general each set of private data will comprise information relating to the person or entity as well as other components relevant to ensuring integrity of the data. Thus, in general, the data may contain:
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Personal tnfoimatioii, such as: 

• Name 

• Address 
5 • Age 

• Income 

• List of possessions 

• Cuneat contractual commitmciits ( subscriptions, mortgage, loans etc.) 

• Deaires and like8(holid^, music, type of car) 
10 • Applications 

• Files 

• Medical histoiy 

• Location 

15 plications, wbich may contain one or more of: 

• A desOTptionofthcconq>utingcnvinfflmcnt necessary to execute t^^ 

• Alistofthcpmposesforwhichtheqjplicationmaybeused 

• A desaiptionofthe fields to be produced by the processing 

• Tcststhatmaybepcrfonnedonftcfieldstobeproducedbyftepiocw^ 
20 • Hostage material and a description ofthe procedure for making th^ 

accesnble. 

• Tests to be applied to a third party computer in order to execute 
within the 3id party conqiuter. 

The other components that will typically form part of the private data may include:

• Test values that are congruent to the basic set of private data, that is they match in style and data type the real data within the private data.

• Values such as TCPA's PCR values (see the TCPA specification referred to hereinbefore) that indicate the policy system (the platform/software architecture) that is used to enforce the privacy of the private data.

• A private data ID which is typically a numeric value or character string which is large enough to reduce the chance of random collision with another ID in a system of interest to below an acceptable level of probability.

• Public keys for encryption of data. Such keys may include a public depository key for use when encrypting data prior to deposition in a repository, and keys used to verify signatures on data.

• Constraint data. The constraint data, which is part of the security control data, may include a list of purposes for which the data may be used, a description of the fields to be produced by processing of the data, and tests to be run on the fields resulting from the processing of the data.

• A stage identifier, which is a count which is modified each time to indicate how many times the data has been used, that is processed or propagated, together with an upper limit for preventing further use of the data once a preset number of uses has occurred.

• Contact information identifying the addresses of nodes that have used the data, i.e. processed or propagated the data.

• Symmetric mask data such as a random string or a symmetric key.

• Asymmetric mask data, such as an asymmetric public key and private key pair.

• Logical masking data, this is an instruction, for example a flag, to instruct the recipient not to read the data.

• Identification of the trust domain within which the data may be copied and/or identification of domains from which the data is excluded.

Suppose that an individual creates a description about himself on his PDA. That description may have been produced in response to a proforma (step 400, Figure 4) seeking the information necessary to fill in an application for insurance. Thus the form may include details such as name, age, occupation, address, previous insurance history, information about his car, motoring history and relevant medical conditions. The user populates the form with data at step 410 and then selects his security options at step 420. The PDA has access to a signature key that is used by the individual to indicate his approval of the data, by signing it with the signature key. The key may be held within a user's smart card or similar or may reside within the PDA.

The PDA appends to the data entered by the user other supporting private information at step 430, such as innocuous test values that are congruent (i.e. of comparable type) to the personal information, TCPA PCR values that indicate the range of platforms that may host the private data, a randomly chosen data ID value, a depository key, a public key used to verify a signature over all the private data, randomly derived mask data sufficient to mask all the fields of the personal description, a statement indicating the intended function of the data, that is that it is for use in the generation of a quote for vehicle insurance, a statement giving constraints on how far the data may be propagated, thus propagation may be limited to within the United Kingdom only; and a contact address of the PDA.

Following generation of such information the individual connects his PDA to the Internet (step 440) and the PDA contacts a search engine, or alternatively uploads the data to a trusted host that contacts a search engine, to locate nodes that are willing (and able) to host private data. We will suppose that two nodes are located, one being an ordinary untrusted computer platform whereas the second node is a trusted computing platform that provides controlled and audited levels of privacy. Purely for illustrative purposes, the ordinary untrusted computer platform scenario uses symmetric mask data. (The trusted computing platform scenario does not do any masking.) The ordinary untrusted computer platform does not permit execution of external applications. In any case, it provides no means for the source of such applications to verify that the platform is a safe place to execute such applications, so it is by no means certain that the source of such applications would want to execute applications on the ordinary untrusted computer platform. In contrast, in this example, the trusted computing platform does permit execution of external applications.

Identifying a trusted platform

The ability to trust a platform underpins the implementation of the present invention. Security systems have traditionally relied upon placing security features at the application level. Whilst this is an enhancement it does not guarantee that the operating system or BIOS has not been tampered with.

WO00/48063 discloses a trusted component built into a computer platform. The trusted component comprises both built in hardware and a software entity.

The trusted computing platform, for example as illustrated in Figure 5, includes an output device such as a VDU 502, or a printer 504; input devices such as a keyboard 506, a pointer which typically is a mouse 508 and a microphone 510. These interface with the computer 520 which has a data processor 522 which interacts over a bus 524 with a mass storage device 526, semiconductor readable and writable memory 528, and a read only BIOS 530. In fact, the BIOS 530 may be implemented in a rewritable non-volatile technology such as EEPROM so that it can be rewritten with care. The computer also includes interface cards, such as video 532 and sound cards for interfacing with the peripheral devices as well as communications paths, for example a universal serial bus 536.

A trusted component 550 is also included within the computer. The trusted component 550 may itself have a direct interface 552 to user input/output devices. Thus, for example the keyboard 504, mouse 508 and monitor 502 may be connected to a suitable interface 552 such that the user can be assured that data output on the monitor 502 or received from the keyboard 504 cannot be interfered with.

The trusted component 550 is a tamper resistant hardware component which is manufactured in accordance with strict rules and whose operation is assured because internal computational processes cannot be subverted.

The trusted component 550 may however be influenced by entities having appropriate authentication and authorisation mechanisms.

Typically the trusted component 550 will monitor the files and/or data contained in the BIOS, operating system and applications run on the computer. The monitoring is dynamic and allows measurements of the computing environment to be made. These measurements are stored in a reserved memory. The reserved memory may exist within the trusted component 550 and also in the semiconductor memory 528 and mass storage memory 526. The reserved memory may store the results of the measurements of the files and applications running within the system. Digests of the measurements are known as integrity metrics and are stored in a protected form in the reserved memory of the trusted component 550.

It should be noted that any target platform could have a number of different states of trust. Thus, where a platform hosts a plurality of different processes some may be trustworthy for a given purpose, others not, and some may satisfy some tests of a trustworthy site and have failed others.

During the test to identify the nodes, the target nodes are interrogated, for example using an integrity challenge of the type described in the TCPA specification, and the responses together with supporting information about the host platform's security policies and the user's policies are evaluated to determine whether a target will be asked or allowed to tender for the business.
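
As an added illustration (not part of the patent text) of the integrity challenge and the per-purpose states of trust described above, the following Python models a challenger that replays a target's measurement log to check its reported PCR values and then applies the owner's policy purpose by purpose. The PCR extend rule is TCPA's SHA-1 chaining; the measurement labels, PCR indices, purposes, policy layout and function names are constructed, and the signature a real trusted component places over its reported values is not modelled.

```python
import hashlib

PCR_INIT = bytes(20)   # a TCPA PCR is 20 bytes and starts at zero on reset


def digest(label: bytes) -> bytes:
    """Stand-in for the measurement a trusted component takes of a file."""
    return hashlib.sha1(label).digest()


def extend(pcr: bytes, measurement: bytes) -> bytes:
    """TCPA PCR extend operation: SHA-1(old PCR value || measurement)."""
    return hashlib.sha1(pcr + measurement).digest()


def replay_log(event_log) -> dict:
    """Recompute the PCR set from a measurement log of (pcr index, digest)
    entries; this is how a challenger checks that reported PCR values are
    actually backed by the measurements the platform claims to have made."""
    pcrs = {}
    for index, measurement in event_log:
        pcrs[index] = extend(pcrs.get(index, PCR_INIT), measurement)
    return pcrs


def evaluate(reported_pcrs: dict, event_log, policy: dict) -> dict:
    """Return {purpose: True/False}. A purpose is trusted only when every
    PCR it names is reproducible from the log and holds a value the data
    owner's policy accepts; purposes are judged independently, so a
    platform may be trusted for one use and not another."""
    replayed = replay_log(event_log)
    verdicts = {}
    for purpose, required in policy.items():
        trusted = True
        for index, accepted in required.items():
            value = reported_pcrs.get(index)
            if value is None or replayed.get(index) != value:
                trusted = False        # reported PCR not backed by the log
                break
            if value not in accepted:
                trusted = False        # configuration not acceptable to owner
                break
        verdicts[purpose] = trusted
    return verdicts


# Constructed reference measurements the data owner is willing to accept.
GOOD_BIOS = digest(b"bios 1.02")
GOOD_OS = digest(b"kernel build 417")
APPROVED_APP = digest(b"quote-service 1.0")
REFERENCE = replay_log([(0, GOOD_BIOS), (1, GOOD_OS), (4, APPROVED_APP)])

# The owner's policy, carried with the private data as acceptable PCR values.
# Hosting needs a known BIOS and OS; executing an application over the data
# additionally needs an approved application measured into PCR 4.
POLICY = {
    "host_private_data": {0: {REFERENCE[0]}, 1: {REFERENCE[1]}},
    "execute_application": {0: {REFERENCE[0]}, 1: {REFERENCE[1]},
                            4: {REFERENCE[4]}},
}


def challenge(target_log) -> dict:
    """Simulated integrity challenge: the target returns its PCRs with the
    log that produced them; the challenger replays and applies POLICY."""
    return evaluate(replay_log(target_log), target_log, POLICY)


def demo():
    # Known BIOS and OS but an unapproved application: fit to hold the data,
    # not fit to run code over it.
    partly = challenge([(0, GOOD_BIOS), (1, GOOD_OS), (4, digest(b"other app"))])
    # A platform reporting a PCR 1 value that its own log cannot reproduce.
    honest_log = [(0, GOOD_BIOS), (1, GOOD_OS), (4, APPROVED_APP)]
    forged = evaluate({**REFERENCE, 1: digest(b"claimed os")}, honest_log, POLICY)
    return partly, forged
```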

Having identified the untrusted first node, the PDA creates, or the trusted service at the Internet host creates, a first copy and masks out those items which the user has defined as being sensitive at step 600 of Figure 6. Thus the name, address and PDA contact address fields (fields that have H or M security in Figure 3) may be masked out such that it is not possible to identify the owner of the data. Any symmetric mask means are then erased from the data at step 610 to prevent that mask being available to the recipient to unmask masked fields. The PDA or secure Internet service then sends the data to the first node at step 620 which accepts the data and signs it with its own signature key at step 630. The signature key is newly generated for the data and hence is unique (or at least exceptionally rare).
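
The following Python is an added example, not the patent's own code, of steps 600 to 620 for the data of Figure 3: a copy for an untrusted node has its H and M fields masked, the symmetric masks erased and the age rounded under rule 61, while a copy for a trusted platform is sent in clear; the stage counter and contact list from the list of components above are carried along. The masking XORs a random byte string over each field as the "symmetric mask data such as a random string"; the field names follow Figure 3, and the function names, use limit and sample values are constructed.

```python
import copy
import secrets

# Security classes from the definitions section of Figure 3.
# H: always contact owner; M: only sent to trusted platforms;
# L: require identity of recipient only; 0: none.
FIELD_RULES = {
    "surname": "H", "forename": "L", "postcode": "H", "county": "M",
    "city": "M", "road": "H", "gender": "L", "age": "L",
    "contact_address": "H",   # PDA contact address, treated as H here
}
MASK_WHEN_UNTRUSTED = {"H", "M"}


def round_age(age: int, trusted: bool) -> int:
    """Specific rule 61: round to the nearest 5 years unless the
    requesting entity is a trusted platform."""
    return age if trusted else int(5 * round(age / 5))


def xor_mask(data: bytes, mask: bytes) -> bytes:
    """One-time-pad style masking with a random string; the same call
    unmasks, so the owner must keep the mask and the recipient must not."""
    if len(mask) < len(data):
        raise ValueError("mask must be at least as long as the field")
    return bytes(a ^ b for a, b in zip(data, mask))


def new_private_data(fields: dict, use_limit: int) -> dict:
    """Build a record with the supporting components the text lists:
    per-field symmetric masks, a stage counter with an upper limit,
    and the contact list of nodes that have handled the data."""
    masks = {name: secrets.token_bytes(64) for name in fields}
    return {"fields": dict(fields), "masks": masks,
            "stage": 0, "use_limit": use_limit, "contacts": []}


def prepare_copy(record: dict, recipient: str, trusted: bool) -> dict:
    """Create the copy sent to a node (steps 600 to 620 of Figure 6).

    Untrusted recipient: H and M fields are masked, the symmetric mask
    means are erased from the copy, and the age is rounded.
    Trusted recipient: the copy carries all fields in clear.
    The stage counter is advanced and further use refused at the limit."""
    if record["stage"] >= record["use_limit"]:
        raise PermissionError("use limit reached; data may not propagate")
    record["stage"] += 1
    record["contacts"].append(recipient)

    out = copy.deepcopy(record)
    out["fields"]["age"] = round_age(record["fields"]["age"], trusted)
    if not trusted:
        for name, rule in FIELD_RULES.items():
            if rule in MASK_WHEN_UNTRUSTED and name in out["fields"]:
                raw = str(out["fields"][name]).encode()
                out["fields"][name] = xor_mask(raw, record["masks"][name])
        out["masks"] = {}          # step 610: erase symmetric mask means
    return out


def unmask(copy_record: dict, original: dict) -> dict:
    """Owner side: recover masked fields with the masks he retained."""
    fields = {}
    for name, value in copy_record["fields"].items():
        if isinstance(value, bytes):
            fields[name] = xor_mask(value, original["masks"][name]).decode()
        else:
            fields[name] = value
    return fields


if __name__ == "__main__":
    sample = {"surname": "Smith", "forename": "Ann", "postcode": "AB1 2CD",
              "county": "Anyshire", "city": "Mytown", "road": "High St",
              "gender": "F", "age": 33, "contact_address": "pda.example"}
    rec = new_private_data(sample, use_limit=2)
    c1 = prepare_copy(rec, "untrusted-node", trusted=False)
    print(c1["fields"]["age"], c1["masks"])             # 35 {}
    print(unmask(c1, rec)["surname"])                   # Smith
    c2 = prepare_copy(rec, "trusted-node", trusted=True)
    print(c2["fields"]["surname"], c2["fields"]["age"])  # Smith 33
```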

An electronic service from an insurance company trawling for work contacts the node at step 640 and sends one or more statements indicating the types of work for which it will give quotes. The node examines the statements at step 650 and if a matching statement is found, for example "MOTOR VEHICLE INSURANCE", then control is passed to step 660 where the data is sent to the insurer together with an identifier such that the result returned from the insurer can be matched to the data. After receiving the returned quote at step 670, the first node appends the quote to the data and encrypts the data with the public key of a public-private key pair, the public key being in the data provided by the user. The node then appends the ID (unencrypted) to the encrypted data and publishes on its web site at step 680.

The individual seeking the quote then occasionally visits the web site of the first node, making sure to capture (i.e. download or view) sufficient objects to prevent a malicious observer deducing an interest in any given public object. When an individual finds a published object that matches his ID or one of his IDs, the individual then attempts to decrypt the object and unmask any masked fields. If the decryption succeeds and/or the decrypted object contains unmasked data that matches that of the individual and/or contains a signature that matches the individual's signature for all of his private data then the individual can be assured that the object relates to him.

If the individual wishes to accept the insurance quote, the individual contacts the relevant insurance company. In order to prove to the company that he has received a quote and to allow them to process the request fully, he provides the original copy of his private data and the decrypted copy of the published version of his private data. This provides sufficient data for the insurance company to verify that one of its agents proposed the quotation and that the first copy provided to it was derived from the original copy of the private data. The individual and the insurance company can then exchange a contract of insurance.

Alternatively, it may be acceptable that the individual simply sends the requested payment via an anonymity service to the insurance company and receives a receipt thereof to confirm that insurance has been issued. The individual only needs to contact the insurance company when he has to make a claim against his insurance. The individual sends the original copy of his private data and the decrypted copy of the published data in order to allow the insurer to verify that it has underwritten the individual.

In the case of dealing with a trusted second node, the PDA or secure service makes a copy of the private data and sends the data to the second node at step 700 of Figure 7. The trusted second node accepts the copy of the private data, generates a signature key and signs the data at step 710.

Now, when an insurer contacts the second node at step 720 the node examines the statements in the descriptor of services sent by the insurance company and if the company can offer a quote for motor insurance, the second node allows the insurance company to execute its quote service on the private data, by sending an executable to the second node (step 740). After the second node has calculated the result (step 750) the second node copies the private data, appends the quote details, encrypts the data with the user's public key, appends the ID and sends the result to the PDA contact address detailed in the private data. These tasks are performed at step 760.

The individual receives the object and attempts to decrypt it. If the decryption is successful then the individual can be fairly certain that the object is intended for him. However, this can be confirmed by checking if the decrypted document contains personal data that matches the individual's private data and/or the signature on the unmasked data matches the individual's signature.

If the individual wishes to accept the quote he can contact the insurer as described above.

In variations on the service the trusted node may not initially release the private data to the service providers. Instead the trusted second node may be instructed by the security conditions imposed by the owner of the data only to release the test data in the first instance. The service provider, i.e. the insurance underwriter, acts on the test data as if it were the real data because they cannot tell that only test data has been submitted. The results of the tests are examined by the node using the rules in the usage information. If appropriate, the node permits the executable to be applied to the real data. Alternatively the results of the test data are returned to the user using the same data transport and handling techniques as described above. The individual can examine the results returned from the operation on the test data, and if they approve the release of the real data to the service provider, the individual republishes his private data with permission to execute the service on the private data.

A platform may promiscuously test applications to determine their suitability to process private data and may use result rules included in the usage rules, or submit results to the user for explicit approval (as previously described). If an application is suitable, the results may be appended to the private data. Resultant private data may be communicated to the entity responsible for the application. Resultant private data may be communicated to the platform that provided the private data. A copy or copies of resultant private data may be published (as described above).
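
Added example (not from the patent) of the test-data gate described in the two paragraphs above: the node runs a provider's executable on the congruent test data, judges the output with result rules carried in the usage information, and applies it to the real data only when those rules are satisfied. The executables are plain Python callables standing in for the provider's code; the record, the result rules and the function names are constructed.

```python
# Constructed private data: real fields and congruent test data (as in
# Figure 3), plus the result rules from the usage information, which
# describe what a legitimate quote service is allowed to return.
PRIVATE_DATA = {
    "fields": {"surname": "Smith", "age": 33,
               "postcode": "AB1 2CD", "car": "hatchback"},
    "test_data": {"surname": "Dummy", "age": 35,
                  "postcode": "ZZ9 9ZZ", "car": "hatchback"},
    "result_rules": {
        "fields": {"quote_gbp", "insurer"},
        "ranges": {"quote_gbp": (50.0, 5000.0)},
    },
}


def check_results(result: dict, rules: dict, inputs: dict) -> list:
    """Apply the result rules to an executable's output; return the list
    of violations (empty when the output is acceptable)."""
    problems = []
    if set(result) != rules["fields"]:
        differing = sorted(set(result) ^ rules["fields"])
        problems.append(f"result fields differ from description: {differing}")
    for name, (low, high) in rules["ranges"].items():
        value = result.get(name)
        if not isinstance(value, (int, float)) or not low <= value <= high:
            problems.append(f"{name} outside {low}-{high}: {value!r}")
    # Simple heuristic for the exfiltration case: an output that carries an
    # input string verbatim is not computing a quote, it is copying the data.
    leaked = sorted(k for k, v in result.items()
                    if isinstance(v, str) and v in inputs.values())
    if leaked:
        problems.append(f"result echoes input values via {leaked}")
    return problems


def gate_executable(record: dict, executable, audit: list):
    """Run the executable on the test data first and judge its output with
    the result rules; only if acceptable run it on the real data.
    Returns (True, result) or (False, problems); `audit` is the node's
    transaction log and receives one line per step."""
    trial = executable(dict(record["test_data"]))
    audit.append(f"executed on test data -> {trial}")
    problems = check_results(trial, record["result_rules"], record["test_data"])
    if problems:
        audit.append("refused real data: " + "; ".join(problems))
        return False, problems
    result = executable(dict(record["fields"]))
    audit.append("executed on real data")
    return True, result


# Constructed service-provider executables.
def honest_quote(fields: dict) -> dict:
    base = 400.0 if fields["car"] == "hatchback" else 650.0
    return {"quote_gbp": base + max(0, 25 - fields["age"]) * 40,
            "insurer": "ACME"}


def leaky_quote(fields: dict) -> dict:
    # Copies an input field into a field the rules allow; caught by the
    # echo check before the real data is ever exposed.
    return {"quote_gbp": 400.0, "insurer": fields["postcode"]}


def greedy_quote(fields: dict) -> dict:
    # Produces an undescribed field and an implausible figure.
    return {"quote_gbp": 99999.0, "insurer": "ACME", "debug": "x"}
```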



A platform may promiscuously test applications in private data to determine their suitability to process other data, and may use result rules included in the usage rules, or submit results to the user for explicit approval (as previously described). If private data is suitable, the results may be appended to the private data. Resultant private data may be communicated to the entity responsible for the application. Resultant private data may be communicated to the platform that provided the private data. A copy or copies of resultant private data may be published (as described above).

Using private data to determine whether results are acceptable may require copying of private data to other nodes. This is the case when a particular usage of private data does not contain result criteria, or the result criteria are masked.

Speculative applications can be of use when the private data relates to, for example, an individual's finances and the trusted node holds an individual's bank account information but does not belong to the bank and instead executes the bank's applications that manage the individual's account. A speculative application that might be valuable to the user might be a third party service that verifies that the bank is managing the account correctly, for example paying the correct amount of interest when the account is in credit or deducting the correct charges when the account is in debit.

In a further example of the present invention, the second trusted node of the above example may detect that an instruction is being issued to it by its owner that will initiate a change in the configuration of the node. An extreme example may be that the node is being instructed to give data out to any third party that requests it.

Given that the node is a trusted node, it must first check through all the private data that it is hosting and check whether the data could still be held on that node, in accordance with the security provisions specified by the owner of the data, once the node has changed to its new configuration. For data that cannot continue to be held, the node deletes the controlling key or keys in its trusted module 550 that provide access to the data. Thus, even if the data on the node is restored from back up systems, the private data does not become accessible because the decryption means was held within the TPM and has been destroyed.

Only when all private data that cannot continue to exist in the new configuration has been rendered unusable can the node then implement its change of configuration.
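
Added example (not from the patent) of the reconfiguration check above: a node holding each item's controlling key only in its trusted module re-evaluates the owner's provisions against the proposed configuration and destroys the keys of items that may not be held, so that a backup of the stored ciphertext cannot be recovered afterwards. The class and function names, the configuration statements and the SHA-256 counter-mode cipher used for the stored data are constructed stand-ins.

```python
import hashlib
import secrets


def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Constructed stand-in for the node's bulk cipher: SHA-256 in counter
    mode. Symmetric, so the same call encrypts and decrypts."""
    out = bytearray()
    for block, offset in enumerate(range(0, len(data), 32)):
        ks = hashlib.sha256(key + nonce + block.to_bytes(4, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[offset:offset + 32], ks))
    return bytes(out)


class TrustedNode:
    """A node whose controlling keys live only in its trusted module."""

    def __init__(self, config: frozenset):
        self.config = config      # statements describing the node's behaviour
        self.module_keys = {}     # trusted module 550: data_id -> key
        self.store = {}           # bulk storage: data_id -> (nonce, ct, provisions)

    def host(self, data_id: str, plaintext: bytes, provisions) -> None:
        """Accept private data only if the owner's security provisions
        (a predicate over node configurations) accept this configuration."""
        if not provisions(self.config):
            raise PermissionError("configuration not acceptable to data owner")
        key, nonce = secrets.token_bytes(32), secrets.token_bytes(16)
        self.module_keys[data_id] = key
        self.store[data_id] = (nonce, keystream_xor(key, nonce, plaintext), provisions)

    def read(self, data_id: str) -> bytes:
        """Fails with KeyError once the controlling key has been destroyed."""
        nonce, ct, _ = self.store[data_id]
        return keystream_xor(self.module_keys[data_id], nonce, ct)

    def reconfigure(self, new_config: frozenset) -> list:
        """Before adopting new_config, destroy the keys of all hosted data
        whose provisions do not allow it to be held under that configuration.
        The ciphertext may remain (or survive in backups); it is now inert."""
        revoked = [did for did, (_, _, prov) in self.store.items()
                   if not prov(new_config)]
        for did in revoked:
            del self.module_keys[did]
        self.config = new_config       # only now is the change applied
        return revoked


# Constructed owner provisions: the insurance record demands that the node
# release data only with owner consent; the test data set accepts any node.
def owner_consent_only(config: frozenset) -> bool:
    return "release:owner-consent" in config


def any_configuration(config: frozenset) -> bool:
    return True


def demo():
    node = TrustedNode(frozenset({"release:owner-consent", "audit:on"}))
    node.host("ins-quote-1", b"Smith, 33, AB1 2CD", owner_consent_only)
    node.host("test-set-1", b"Dummy, 35, ZZ9 9ZZ", any_configuration)
    backup = dict(node.store)                      # backup taken beforehand

    # The owner instructs the node to hand data to any requester.
    revoked = node.reconfigure(frozenset({"release:any-requester"}))

    node.store = dict(backup)                      # restore from the backup
    try:
        node.read("ins-quote-1")
        restorable = True
    except KeyError:
        restorable = False
    return revoked, restorable, node.read("test-set-1")
```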

In another example, it is highly likely that an individual will hold personal files on his personal computer. The personal files may contain private information. There may also be innocuous test files that have dummy information which is broadly consistent with or equivalent to the real private information. Thus any test field is of the same type as an equivalent field in the real data, such that both can be manipulated in the same way. The data may also include means for interrogating the integrity of a target platform, such as the Trusted Computing Platform Alliance's platform configuration register (PCR) values that indicate or define the properties of the platforms that may host the private data. The data may also include a randomly generated ID, for example of 20 bytes or so, which is therefore likely to be unique during the time frame for which the data is required. The computer will also store a depository key, a public key used to verify the signature over all signed private data and sufficient keys (preferably randomly chosen) to encrypt all the personal files. The computer also may contain one or more statements concerning the intended or mandatory use of the private data. Thus one statement may define that the data is for use by textual editors or spreadsheet calculators. A further statement may indicate that the data may be duplicated within the UK. The restriction on duplication may be modified, for example by specifying that the duplication is limited to web sites manifested in airport lounges during a predetermined time period.

The individual may also have a PDA that contains supporting private information, primarily the masking information, but not the personal files.

In order to prepare for access to his data, the user instructs the computer to make a temporary copy of the private data it holds. The computer masks all the personal real and test data files by asymmetrically (say) encrypting with the relevant mask information (that is security control information) supplied from the PDA. The computer sends the temporary copy, optionally via an anonymity service, to a service that acts as a gateway to the airport computers in airport lounges.

The gateway distributes the private data to the airport computers in accordance with the distribution parameters contained within the statements of use.

When visiting an airport lounge, the individual connects his PDA to the complementary computer system provided in the airport lounge. The PDA then searches for the private data belonging to the individual.

Having found the individual's data, the PDA issues a challenge to the airport computer to determine if it has a trusted computer architecture. Having verified that this is so the PDA informs the user appropriately.

When an individual wishes to use one of his files, the PDA contacts the airport computer and asks it to demonstrate that it hosts applications capable of generating the desired results from the private data. In order to confirm this, the PDA supplies the airport computer with unmasking data that will unmask the test data; the airport computer may run the application on the test data in the private data, producing an audit trail or log of transactions as it executes the process.

Optionally the airport computer also provides an encrypted version of an indemnity or some other "hostage data" in order to compensate the individual for misuse or violation of his data. The hostage data can be decrypted preferably in cooperation with a third party, who releases or enables release of the hostage data when conditions justify such release, such as when private data has been misused.

If tests using test data were satisfactory, the PDA can then supply the airport computer with the unmasking data that allows decryption of the real personal data. The airport computer then decrypts the real personal data and permits the individual to manipulate the decrypted file using the same program that operated on the test data. An audit trail is generated as before.

At the end of the user's session (which might be complementary or involve a fee) the airport computer uses the masking data to render the personal data confidential. Then the airport computer copies the private data, appends the masked (encrypted) altered personal file, encrypts the resultant object with the public depository key within the private data, appends the ID from the private data and publishes the data on its web site. This can also be done on an airport website or a third party site for recovering such data.

When the owner of the data wishes to retrieve it, he visits the web site, possibly making sure that he captures sufficient published objects to prevent an observer from deducing his identity or interests. When the individual finds an object that matches his ID the individual attempts to decrypt the object. If the decryption succeeds and contains unmasked data that matches his own, then the individual recognises the published object as his own. He can then proceed to recover the masked altered data file and to use the original mask or security control to replace the original file with the altered file.

The present invention can further be utilised in order to facilitate the delivery of physical goods. Carriers waste a lot of time when they attempt to deliver goods to a household but find that there is no one there to accept delivery. The carrier cannot easily avoid this, as they cannot discover in advance whether and when someone will be present in the household because householders are reluctant to disclose such information. The main reason for their reluctance is that householders cannot be sure that the enquiry is legitimate, and even if it is, they cannot be sure that the information will not leak to an undesirable person. In short, they fear that they will be burgled, or suffer a loss of privacy.

Currently, delivery companies try to overcome this problem by leaving the package with a neighbour or leaving a card to indicate that a delivery was attempted and that a given person should be contacted to arrange a repeat delivery. This is an inconvenient and uneconomic process for the delivery company, and inconvenient and irritating for the customers.

In order to overcome this, a household may have a system arranged to automatically detect the presence of people within the house or to maintain a diary that indicates the current and expected presence of persons at that address. The diary can also indicate whether a delivery would be accepted. Such information may be treated as much as private data as the name and address of the household. Private data, including the location information, may be held on the household's computer operating in accordance with the present invention, and propagated to a delivery company's computer operating in accordance with the present invention. Naturally, the household should verify that the carrier is known to the household, and is known to be trustworthy, before propagating the private information to the delivery company's computer.

The carrier maintains a database of goods to be delivered. The database is held within a trusted computing platform having audit privacy. In use, the carrier enters the address of the intended delivery into the database. The carrier supplies an executable program that operates on the household data to reveal when the householder is in, but not when the householder is out. The platform verifies that this type of program is permitted to use the private data supplied by the household. The carrier can observe neither the private data nor the results of the enquiry, and hence neither the computer administrator nor a computer user can deduce the times that a house is unoccupied. The carrier's database then attempts to match the expected presence of someone in the household with a delivery schedule, and to schedule deliveries as appropriate. The carrier's database may notify the household that a delivery is scheduled.

The carrier's personnel cannot query or inspect the database to find the comings and goings of the occupants of the household because the database is on a trusted computing platform that uses TCPA technology (or equivalent) and trusted compartment technology (or equivalent) to isolate data (including applications and results) from the administrator and user of the platform. Thus the carrier's personnel are notified only of a delivery via the delivery schedule.

Preferably the carrier's database randomly selects delivery times from a selection of possible delivery times in order to decrease the probability that times that are not scheduled delivery times can be assumed to indicate the absence of a person at the delivery address.

Advantageously the sender of the goods enters the address of the intended delivery into the carrier's database and receives an identification value or token that does not include the delivery address. The sender can then address the goods with the identification token rather than the conventional (physical) delivery address. Preferably the delivery schedule is given to the driver in electronic form and a delivery address and identification are not revealed to the deliverer until the schedule indicates that those goods are the next to be delivered. It is thus possible to use the secure handling of information in accordance with the present invention to facilitate the operation of services that would otherwise involve a security risk.

CLAIMS

1. A method of controlling the processing of data, comprising defining a plurality of usage rules for a plurality of data items, and applying individualised usage rules to each of the data items based on a measurement of integrity of a computing entity to which the data items are to be made available.

2. A method as claimed in claim 1, in which at least some of the usage rules comprise masking instructions for masking the associated data items.

3. A method as claimed in claim 2, in which a data item is masked from a set of data by encrypting it.

4. A method as claimed in claim 3, in which a data item is encrypted with an associated encryption key, said encryption key being different for different ones of the data items.

5. A method as claimed in claim 1, in which the usage rules define security rules for the associated data item.

6. A method as claimed in any one of the preceding claims in which the data may be transferred between computing entities and the instantiation of the data at each computing entity depends on the capabilities of that entity.

7. A method as claimed in claim 6, in which a computing entity is a computing platform.

8. A method as claimed in claim 6, in which the computing entity is a software process.

9. A method as claimed in any one of the preceding claims in which a computing entity can reliably and irrevocably deny future access to selected data items.

10. A method as claimed in claim 9, in which means for accessing the data is stored within a protected memory.

11. A method as claimed in claim 10, in which the protected memory is within a trusted computing module.

12. A method as claimed in any one of the preceding claims, in which computing entities negotiate with one another concerning the use of the data before the data is made available.

13. A method as claimed in any one of the preceding claims in which the data has constraints defining conditions for use of the data.

14. A method as claimed in claim 13, in which the constraints define at least one item selected from:

a. the purpose for which the data can be used
b. the geographical area in which the data may be manifested
c. the temporal domain in which the data may be manifested
d. the computing platforms that may manipulate the data.

15. A method as claimed in any one of the preceding claims in which the data further includes test data.

16. A method as claimed in claim 15, in which the structure of test data is comparable to the structure of real data contained by the data items.

17. A method as claimed in claim 16, in which the results of operations performed on the test data are examined in order to make a decision on whether to release the real data to a node that operated on the test data.

18. A method as claimed in any one of the preceding claims, in which a node requesting access to the data supplies hostage material to the node issuing the data prior to the issuance of the data.

19. A method as claimed in claim 18, in which a third party hostage release authority is contacted to activate the hostage material.



20. A method as claimed in any one of the preceding claims in which a node finding itself in possession of data whose history or content do not meet predetermined requirements, formats the data and places it in a repository.

21. A method as claimed in claim 20, in which the data placed in the repository is in an encrypted form.

22. A method as claimed in claim 21, in which the data is encrypted using a public key included in the data.

23. A method as claimed in claim 21 or 22, in which the data in the repository is associated with an identification means to enable the owner of the data to identify it.

24. A method as claimed in any one of the preceding claims, in which a node wishing to present the data for retrieval places the data in a repository.

25. A method as claimed in claim 24, in which the data is placed in the repository in encrypted form.

26. A method as claimed in claim 25, in which the data is encrypted using a public key included in the data.

27. A method as claimed in claim 26, in which the data in the repository is associated with identification means to enable the owner of the data to identify it.

28. A method as claimed in claim 1, in which constraints associated with the data determine whether the data will process on anything other than a trusted computing platform.

29. A method as claimed in claim 28, in which constraints associated with the data determine whether the data and/or results from processing the data are inhibited from viewing by a computing platform owner or administrator.

30. A method as claimed in any one of the preceding claims in which the security controls are stored separately from the data.

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31. A method as clainied in any one of the preceding claims in which rrmit or 
decryption keys are stored separately from the data. 

32. A method as claimed in any one of the preceding claims in which a computing 
entity that receives data signs the data with a signature key belonging 

33. A method of controlling the processing of data, wherein the data comprises a 
plurality of rules associated with a plurality of data items, said rules acting to define the 
use of the data or security to be observed when processing the data, and in which 
forwarding of the data is performed in accordance with mask means provided in 
association with the rules. 

34. A method as claimed in claim 33, in which the mask comprises at least one of a 
symmetric encryption string, symmetric encryption key, and an asymmetric encryption 
key. 

35. A method as claimed in claim 33, in which the rules associated with the data 
items are adhered to in preference to data handling rules associated with a computing 
entity processing the data. 

36. A method as claimed in claim 33, in which at least some of the rules comprise 
masking instructions for masking the associated data items. 

37. A method as claimed in claim 36, in which a data item is masked from a set of 
data by encrypting it. 

38. A method as claimed in claim 37, in which a data item is encrypted with an 
associated encryption key, said encryption key being different for different ones of the 
data items. 

39. A method as claimed in any one of claims 33 to 38 in which the data may be 
transferred between computing entities and the instantiation of the data at each 
computing entity depends on the capabilities of the entity. 

40. A method as claimed in claim 33, in which the rules define at least one item 
selected from: 

a. the purpose for which the data can be used 
b. the geographical area in which the data may be manifested 
c. the temporal domain in which the data may be manifested 
d. the computing platforms that may manipulate the data 
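The following is an added illustration of claims 31 and 33 to 40, not code from the patent: each field of a record is masked under its own key, the keys are held apart from the masked data, and a key is released to a recipient only when the recipient's assessed trust satisfies the rule attached to that field. The trust levels, the field names, the sample record and the HMAC-based stand-in cipher are all assumptions made for this example.

```python
import hashlib
import hmac
import os

# Sensitivity levels, constructed for this example: the letter on a field names the
# minimum trust a receiving platform must show before that field's key is released.
REQUIRED_TRUST = {"H": 3, "M": 2, "L": 1, "0": 0}


def _subkeys(key: bytes) -> tuple[bytes, bytes]:
    """Derive separate encryption and authentication keys from one per-field key."""
    enc = hmac.new(key, b"enc", hashlib.sha256).digest()
    mac = hmac.new(key, b"mac", hashlib.sha256).digest()
    return enc, mac


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode, a stdlib-only stand-in for a real cipher
    (a deployment would use an AEAD such as AES-GCM instead)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def mask(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC one field: returns nonce || ciphertext || tag."""
    enc_key, mac_key = _subkeys(key)
    nonce = os.urandom(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unmask(key: bytes, blob: bytes) -> bytes:
    """Verify the tag before decrypting, so a tampered field is rejected rather than decoded."""
    enc_key, mac_key = _subkeys(key)
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("masked field failed integrity check")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))


def mask_record(record: dict) -> tuple[dict, dict]:
    """Mask every field under its own fresh key (claim 38). The keys are returned
    separately from the masked data so they can be stored apart from it (claim 31)."""
    keys = {field: os.urandom(32) for field in record}
    masked = {field: mask(keys[field], value.encode()).hex() for field, value in record.items()}
    return masked, keys


def release_keys(keys: dict, rules: dict, recipient_trust: int) -> dict:
    """Hand out only the keys whose field rule the recipient's trust level satisfies."""
    return {f: k for f, k in keys.items() if REQUIRED_TRUST[rules[f]] <= recipient_trust}


def recipient_view(masked: dict, released: dict) -> dict:
    """What the recipient can actually read: fields without a released key stay opaque."""
    view = {}
    for field, blob in masked.items():
        if field in released:
            view[field] = unmask(released[field], bytes.fromhex(blob)).decode()
        else:
            view[field] = "<masked>"
    return view


# Constructed sample record and per-field rules (not the patent's own data).
SAMPLE_RECORD = {"surname": "Example", "postcode": "AB1 2CD", "city": "Anytown", "age": "41"}
SAMPLE_RULES = {"surname": "H", "postcode": "H", "city": "M", "age": "L"}


def forward_to(recipient_trust: int) -> dict:
    """Mask the sample record, release keys for the given trust level, and return
    the view the recipient obtains."""
    masked, keys = mask_record(SAMPLE_RECORD)
    released = release_keys(keys, SAMPLE_RULES, recipient_trust)
    return recipient_view(masked, released)


if __name__ == "__main__":
    for trust in (0, 2, 3):
        print(trust, forward_to(trust))
```

Because every field has its own key, withholding one key withholds exactly one field; a recipient that receives the whole masked record still learns nothing about the fields whose rules it does not satisfy, and the integrity tag means a modified masked field is refused rather than silently decoded.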

41. A method as claimed in any one of claims 33 to 40 in which the data further 
includes test data, the test data is comparable to the structure of real data contained by 
the data items, and in which the results of operations performed on the test data are 
examined in order to make a decision on whether to release the real data to the node that 
operated on the test data. 

42. A method as claimed in claim 33, in which a computing entity finding itself in 
possession of data whose history or content do not meet predetermined requirements, or 
wishing to make data available because it has performed some processing in at least 
partially masked form, formats the data and places it in a repository. 
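An added example of the test-data gate in claim 41, written for this page rather than taken from the patent: a record with the same fields and value types as the real data, but with canary values, is sent to the processing node first, and the real data is released only if the node's output has the expected shape and echoes none of the canaries. The two node behaviours, the field set and the expected output keys are assumptions made for the illustration.

```python
import json
from typing import Callable

# Constructed real record and a structurally matching test record (claim 41): same
# fields, same value types, but canary values that no legitimate result should contain.
REAL_DATA = {"surname": "Example", "postcode": "AB1 2CD", "age": 41}
TEST_DATA = {"surname": "Canary-Zq7", "postcode": "ZZ9 9ZZ", "age": 137}

# Hypothetical processing nodes: both compute the same derived answer, but one also
# copies a raw field into its output.
def compliant_node(record: dict) -> dict:
    """Returns only the derived answer it was asked for."""
    return {"adult": record["age"] >= 18}


def leaky_node(record: dict) -> dict:
    """Echoes a raw field back alongside the answer."""
    return {"adult": record["age"] >= 18, "who": record["surname"]}


def probe(node: Callable[[dict], dict], test_data: dict, expected_keys: set) -> dict:
    """Run the node on the test data and examine the result: the output must carry exactly
    the expected keys and must not contain any canary value from the test record."""
    result = node(dict(test_data))
    serialised = json.dumps(result)
    leaked = sorted(field for field, value in test_data.items() if str(value) in serialised)
    return {"ok": not leaked and set(result) == expected_keys, "leaked": leaked}


def release_if_safe(node: Callable[[dict], dict], real: dict, test_data: dict, expected_keys: set):
    """Release the real data to the node only after the probe on test data passes."""
    verdict = probe(node, test_data, expected_keys)
    if not verdict["ok"]:
        return None  # withhold the real data; nothing sensitive has left the owner
    return node(dict(real))


if __name__ == "__main__":
    print("compliant:", probe(compliant_node, TEST_DATA, {"adult"}))
    print("leaky:    ", probe(leaky_node, TEST_DATA, {"adult"}))
```

The probe is a precondition, not a proof: a node can behave differently on real input than on the test record, so the check belongs alongside the per-field masking and trust rules rather than in place of them.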

43. A computer program for instructirig a programmable computer to implement the 
method of any one of claims 1 to 42. 

44. A processing system for processing private data, wherein the private data 
comprises a plurality of data fields and each field is associated with customisation data 
that controls the use and propagation of the data, and wherein the processing system is 
subservient to the constraints defined by the customisation data. 

45. A computing device arranged to receive data and security rules associated with 
the data, and in which forwarding of the data is performed in accordance with the 
security rules, including encryption keys, supplied with the security rules instead of 
with keys belonging to the security device. 